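#!/bin/sh
# Host firewall bootstrap.
#
# Hardens a handful of IPv4 sysctl knobs, then installs the nftables
# ruleset assembled from the policy files in the current directory.
#
# Usage:  ./firewall          load (or reload) the ruleset
#         ./firewall stop     flush the ruleset and leave the host unfiltered
#
# Must run as root. Policy files are resolved relative to the working
# directory (nft -I .), so run the script from the directory that holds
# them. Only IPv4 sysctls are touched here; `flush ruleset` removes tables
# of every address family, so IPv6 policy (if any) must come from the
# included files.
set -eu

NFT="/usr/sbin/nft"

#######################################
# Write a value to a /proc/sys knob and abort the script if that fails.
# Arguments: $1 - value to write, $2 - full /proc/sys path
# Outputs:   diagnostic on stderr on failure
#######################################
set_sysctl() {
  if ! printf '%s\n' "$1" > "$2"; then
    printf 'firewall: cannot write %s to %s\n' "$1" "$2" >&2
    exit 1
  fi
}

# drop ICMP echo-request messages directed to broadcast or multicast
set_sysctl 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# disable source routed packets
set_sysctl 0 /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookie protection
set_sysctl 1 /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
set_sysctl 0 /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send Redirect Messages
set_sysctl 0 /proc/sys/net/ipv4/conf/all/send_redirects
# Enable IP spoofing protection
set_sysctl 1 /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible addresses
set_sysctl 1 /proc/sys/net/ipv4/conf/all/log_martians

# "stop" removes every rule and exits; the sysctl hardening above stays.
# ${1:-} keeps `set -u` from aborting when no argument was given.
if [ "${1:-}" = "stop" ]; then
  "$NFT" flush ruleset
  echo "Firewall completely stopped!"
  exit 0
fi

# Replace the ruleset in ONE transaction. nft applies everything read from
# a single -f input atomically, so either the complete new policy lands or
# the previous ruleset stays in place. Flushing first and then loading each
# file with its own nft invocation would leave the host unfiltered between
# the flush and the last successful load -- indefinitely if any file failed
# to parse, since nothing checked the exit status. `set -e` aborts here on
# a non-zero exit, which with the transaction means the old rules are intact.
"$NFT" -I . -f - <<'EOF'
flush ruleset
include "setup-tables"
include "localhost-policy"
include "connectionstate-policy"
include "invalid-policy"
include "dns-policy"
include "tcp-client-policy"
include "tcp-server-policy"
include "icmp-policy"
include "log-policy"
EOF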
